Abstract. This draft suggests a new counterexample guided abstraction refinement (CEGAR) framework that uses the combination of numerical simulation for nonlinear differential equations with linear programming for linear hybrid automata (LHA) to perform reachability analysis on nonlinear hybrid automata. A notion of $\epsilon$-structural robustness is also introduced which allows the algorithm to validate counterexamples using numerical simulations.



1 Introduction 

The model checking of hybrid automata remains a challenge and the existing tools [6,4] do not scale up to the needs of the industry. Because of the well known fundamental undecidability results [2], the model checking of general hybrid automata often proceeds by building successively tighter approximations to these hybrid automata in a relatively easy-to-analyze fragment of hybrid automata like Linear Hybrid Automata [7]. Theoretical results about the asymptotic completeness of this approximation procedure form the backbone of such a strategy behind the model checking of nonlinear hybrid automata.

There has been considerable interest in applying Counterexample Guided Abstraction Refinement (CEGAR), which works so well with discrete systems, to the problem of hybrid system verification [2]. There has also been some exploration of using fragments instead of counterexamples during abstraction refinement [3] and the application of CEGAR specifically to LHA [5]. However, our ongoing work makes the following new contributions to the abstraction refinement based analysis of hybrid systems.



— We address the problem of abstraction refinement for nonlinear hybrid automata and use CEGAR to construct successively refined LHA approximations. Our refinement is lazy and hence refines some parts of the state space more finely than others.

— We use the distance between a feasible path in the abstract linear hybrid automaton and the numerically simulated trajectory in the nonlinear hybrid automaton to refine those locations in the LHA that do not faithfully represent the behavior of the nonlinear hybrid automaton.



— We define a structural notion of robustness and use it to present a counterexample validation algorithm (for a rich class of nonlinear hybrid automata) using linear programming [3]. Hence, it is possible to detect reachability of a bad state even before the abstraction refinement loop terminates.

2 Background on LP based path feasibility analysis of LHA

Informally, a linear hybrid automaton is a conventional automaton extended with a set of continuous variables. The states of the automaton, called locations, are annotated with a change rate for each continuous variable such as $\dot{x} = [a, b]$ ($x$ is a variable, and $[a, b]$ is a rational interval), and the transitions of the automaton are labeled with constraints on the variables such as $a \le \sum_i c_i x_i \le b$ and/or with reset actions such as $x := c$ ($x_i$ and $x$ are variables, $a$, $b$, and $c_i$ are real numbers). Such linear hybrid automata are essentially equivalent to the definition given in [5]. It is known that this subclass of linear hybrid automata is sufficiently expressive to allow asymptotic completeness of the abstraction process for general hybrid automata: "A restricted form of linear phase portrait approximations are asymptotically complete, namely, when all automaton constraints are over-approximated using independent, rational lower and upper bounds on the values and derivatives of each variable" [1]. For simplicity, we suppose that in any linear hybrid automaton considered in this paper, there is just one initial location with no initial conditions and no transitions to the initial location (we assume that each variable with an initial value is reset to the initial value by the transitions from the initial location).

Definition 1. A linear hybrid automaton is a tuple $H = (X, V, E, v_I, \alpha, \beta)$, where

— $X$ is a finite set of real-valued variables.

— $V$ is a finite set of locations.

— $E$ is the transition relation whose elements are of the form $(v, \phi, \psi, v')$ where $v, v'$ are in $V$, $\phi$ is a set of guards or variable constraints of the form $a \le \sum_{i=0}^{m} c_i x_i \le b$, and $\psi$ is a set of reset actions of the form $x := c$ where $x_i \in X$ ($0 \le i \le m$), $x \in X$, $a$, $b$ and $c_i$ ($0 \le i \le m$) are real numbers, and $a$ and $b$ may be $\infty$.

— $v_I$ is an initial location.

— $\alpha$ is a labeling function which maps each location in $V - \{v_I\}$ to a state invariant which is a set of variable constraints of the form $a \le \sum_{i=0}^{m} c_i x_i \le b$ where $x_i \in X$ ($0 \le i \le m$), $y \in X$, $a$, $b$, and $c_i$ ($0 \le i \le m$) are real numbers, and $a$ and $b$ may be $\infty$.

— $\beta$ is a labeling function which maps each location in $V - \{v_I\}$ to a set of change rates which are of the form $\dot{x} = [a, b]$ where $x \in X$, and $a, b$ are rational numbers ($a \le b$). For any location $v$, for any $x \in X$, there is one and only one change rate definition $\dot{x} = [a, b] \in \beta(v)$.

□
For a linear hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$, a path segment is a sequence of locations

$v_1 \rightarrow v_2 \rightarrow \ldots \rightarrow v_n$

which satisfies $(v_i, \phi_i, \psi_i, v_{i+1}) \in E$ for each $i$ ($1 \le i \le n-1$). A path in $H$ is a path segment starting at $v_I$. The behavior of linear hybrid automata can be represented by timed sequences. Any timed sequence is of the form $(v_1, t_1)^\frown (v_2, t_2)^\frown \ldots ^\frown (v_n, t_n)$, where $v_i$ ($1 \le i \le n$) is a location and $t_i$ ($1 \le i \le n$) is a nonnegative real number, which represents a behavior of an automaton in which the system starts at the initial location and changes to the location $v_1$, stays there for $t_1$ time units, then changes to the location $v_2$ and stays in $v_2$ for $t_2$ time units, and so on.




[Figure: locations $v_0$, $v_1$, $v_2$]



Definition 2. For a linear hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$, a timed sequence $(v_1, t_1)^\frown (v_2, t_2)^\frown \ldots ^\frown (v_n, t_n)$ represents a behavior of $H$ if the following condition is satisfied:

— there is a path in $H$ of the form

$v_0 \rightarrow v_1 \rightarrow \ldots \rightarrow v_n$ ;

— $t_1, t_2, \ldots, t_n$ satisfy all the variable constraints in $\phi_i$ ($1 \le i \le n-1$), i.e. for each variable constraint $a \le c_0 x_0 + c_1 x_1 + \ldots + c_m x_m \le b$ in $\phi_i$,

$\delta_k \le \gamma_i(x_k) \le$ for any $k$ ($0 \le k \le m$), and
$a \le c_0 \gamma_i(x_0) + c_1 \gamma_i(x_1) + \ldots + c_m \gamma_i(x_m) \le b$

where $\gamma_i(x_k)$ ($0 \le k \le m$) represents the value of the variable $x_k$ when the automaton stays at $v_i$ with the delay $t_i$, and, similarly,

— $t_1, t_2, \ldots, t_n, \gamma_i(x_k), \lambda_i(x_k)$ satisfy the state invariant for each location $v_i$ ($1 \le i \le n$), where $\gamma_i(x_k)$ ($0 \le k \le m$) represents the value of the variable $x_k$ when the automaton stays at $v_i$ with the delay $t_i$, and $\lambda_i(x_k)$ ($0 \le k \le m$) represents the value of the variable $x_k$ after leaving state $v_i$ and after the reset conditions have been applied.
Now, we use linear programming to test the feasibility of a single path for the reachability analysis of linear hybrid automata. Let $H = (X, V, E, v_I, \alpha, \beta)$ be a linear hybrid automaton, and $p$ be a path in $H$ of the form

$v_0 \rightarrow v_1 \rightarrow \ldots \rightarrow v_n$

where $v_n = v$. For any timed sequence of the form $(v_1, t_1)^\frown (v_2, t_2)^\frown \ldots ^\frown (v_n, t_n)$, if $p$ is feasible, then the following condition must hold:

— $t_1, t_2, \ldots, t_n$ satisfy all the variable constraints in $\phi_i$ ($0 \le i \le n$), and

— $t_1, t_2, \ldots, t_n$ satisfy all the variable constraints in $\alpha(v_i)$ ($1 \le i \le n$),

which form a group of linear inequalities on $t_1, t_2, \ldots, t_n, \gamma_i(x_k), \lambda_i(x_k)$ (see Definition 2), denoted by $\Theta(p)$ or $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$. It follows that we can check if $p$ is a feasible path by checking if the group $\Theta(p)$ (or $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$) of linear inequalities has a solution, which can be solved by linear programming.
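The path-feasibility check of this section, as an added example that is not code from the paper: it builds the inequality group $\Theta(p)$ for a constructed two-variable LHA path (interval rates, invariants checked on entry and exit, guards at each jump, resets substituted for $\lambda_i$) and decides feasibility by exact Fourier-Motzkin elimination, used here in place of an LP solver. The automaton, the variable names and the `lp_for_path` input format are this example's own assumptions.

```python
from fractions import Fraction as F
from itertools import product

# A linear inequality is a pair (coef, const) meaning  sum(coef[v] * v) + const >= 0.
def lin(coef=None, const=0):
    return ({k: F(v) for k, v in (coef or {}).items() if v != 0}, F(const))

def add(c1, c2, s1=1, s2=1):
    """Return s1*c1 + s2*c2; with s1, s2 > 0 the result is implied by c1 and c2."""
    coef = {}
    for c, s in ((c1, s1), (c2, s2)):
        for k, v in c[0].items():
            coef[k] = coef.get(k, F(0)) + s * v
    return ({k: v for k, v in coef.items() if v != 0}, s1 * c1[1] + s2 * c2[1])

def feasible(constraints):
    """Exact Fourier-Motzkin elimination: True iff the inequalities have a real solution."""
    cons = list(constraints)
    while True:
        variables = {k for c in cons for k in c[0]}
        if not variables:
            return all(c[1] >= 0 for c in cons)
        z = min(variables)
        pos = [c for c in cons if c[0].get(z, 0) > 0]
        neg = [c for c in cons if c[0].get(z, 0) < 0]
        rest = [c for c in cons if z not in c[0]]
        # p: a*z + P >= 0 and n: -b*z + N >= 0 (a, b > 0) together imply a*N + b*P >= 0
        rest += [add(n, p, p[0][z], -n[0][z]) for p, n in product(pos, neg)]
        cons = list({(tuple(sorted(c[0].items())), c[1]): c for c in rest}.values())

def bounds(constraints, val):
    """Instantiate constraints (lo, {x: c_x}, hi), i.e. lo <= sum c_x*x <= hi, at valuation val."""
    out = []
    for lo, coefs, hi in constraints:
        expr = lin()
        for x, c in coefs.items():
            expr = add(expr, val[x], 1, c)
        if lo is not None:
            out.append(add(expr, lin(const=-lo)))        # expr - lo >= 0
        if hi is not None:
            out.append(add(lin(const=hi), expr, 1, -1))  # hi - expr >= 0
    return out

def lp_for_path(variables, init, locs, jumps):
    """Build Theta(p) for the path v_0 -> v_1 -> ... -> v_n (input format is this example's own).

    init     : resets of the initial transition v_0 -> v_1, so lambda_0 is a constant vector
               (the paper assumes every variable is initialised there).
    locs[i]  : v_{i+1} as {"rate": {x: (a, b)}, "inv": [(lo, {x: c}, hi), ...]}
    jumps[i] : transition v_{i+1} -> v_{i+2} as {"guard": [...], "reset": {x: c}}
    LP variables are t_i (delay in v_i) and g<i>_<x> = gamma_i(x), the value of x when
    leaving v_i; lambda_i(x) is substituted by the reset constant or by gamma_i(x).
    """
    cons, lam = [], {x: lin(const=init[x]) for x in variables}
    for i, loc in enumerate(locs, start=1):
        t = f"t{i}"
        cons.append(lin({t: 1}))                                        # t_i >= 0
        gam = {x: lin({f"g{i}_{x}": 1}) for x in variables}
        for x in variables:
            a, b = loc["rate"][x]
            cons.append(add(add(gam[x], lam[x], 1, -1), lin({t: -a})))  # gamma - lambda >= a*t_i
            cons.append(add(add(lam[x], gam[x], 1, -1), lin({t: b})))   # gamma - lambda <= b*t_i
        for val in (lam, gam):              # the invariant must hold on entry and on exit
            cons += bounds(loc["inv"], val)
        if i - 1 < len(jumps):
            cons += bounds(jumps[i - 1]["guard"], gam)                  # guard at the jump
            reset = jumps[i - 1]["reset"]
            lam = {x: lin(const=reset[x]) if x in reset else gam[x] for x in variables}
    return cons

# Constructed two-variable LHA path v_0 -> v_1 -> v_2 -> v_3 (not taken from the paper).
VARS = ("x", "y")
INIT = {"x": 0, "y": 0}
LOCS = [
    {"rate": {"x": (1, 2), "y": (1, 1)}, "inv": [(None, {"x": 1}, 10)]},  # v_1: x' in [1,2], y' = 1
    {"rate": {"x": (-1, -1), "y": (2, 3)}, "inv": []},                    # v_2: x' = -1, y' in [2,3]
]
JUMP_12 = {"guard": [(4, {"x": 1}, None)], "reset": {"y": 0}}             # v_1 -> v_2: x >= 4, y := 0

def path_is_feasible(y_upper):
    """Feasibility of p with guard  x <= 1 and 2 <= y <= y_upper  on v_2 -> v_3."""
    jump_23 = {"guard": [(None, {"x": 1}, 1), (2, {"y": 1}, y_upper)], "reset": {}}
    return feasible(lp_for_path(VARS, INIT, LOCS, [JUMP_12, jump_23]))

if __name__ == "__main__":
    # x >= 4 on leaving v_1 forces t_1 >= 2; reaching x <= 1 in v_2 forces t_2 >= 3, so y >= 6
    print(path_is_feasible(None), path_is_feasible(5))   # True False
```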

3 Background on Abstraction of Affine dynamics by LHA

Given a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$ where $X$ is a finite set of real-valued variables, $V$ is a finite set of locations, $E$ is the transition relation whose elements are of the form $(v, \phi, \psi, v')$ where $v, v'$ are in $V$, $\phi$ is a set of guards or variable constraints of the form $a \le \sum_{i=0}^{m} c_i x_i \le b$, and $\psi$ is a set of reset actions of the form $x := c$ where $x_i \in X$ ($0 \le i \le m$), $x \in X$, $a$, $b$ and $c_i$ ($0 \le i \le m$) are real numbers, and $a$ and $b$ may be $\infty$; $v_I$ is an initial location; $\alpha$ is a labeling function which maps each location in $V - \{v_I\}$ to a state invariant which is a set of variable constraints of the form $a \le \sum_{i=0}^{m} c_i x_i \le b$ where $x_i \in X$ ($0 \le i \le m$), $y \in X$, $a$, $b$, and $c_i$ ($0 \le i \le m$) are real numbers, and $a$ and $b$ may be $\infty$; $\beta$ is a labeling function which maps each location in $V - \{v_I\}$ to a set of change rates which are of the form $\dot{x}_j = f(x_0, x_1, \ldots, x_m, \dot{x}_0, \dot{x}_1, \ldots, \dot{x}_m, a_0, a_1, \ldots, a_m)$ where $x_0, x_1, \ldots, x_m \in X$, and $a_0, a_1, \ldots, a_m$ are real numbers. For any location $v$, for any $x \in X$, there is one and only one change rate definition.

We construct (in a fashion similar to [6,4]) a linear hybrid automaton $H_a$ which is an over-approximate abstraction of the general hybrid automaton $H$. We define an operator $split$ which divides a location into smaller locations and use this to divide each location $v_i$ of the original hybrid automaton.

Definition 3. Let $v$ be a location and $x_i \in X$ be a variable in a hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$. Suppose $In_v = \{v^{in}_0, \ldots, v^{in}_m\}$ are the locations from which there is a transition into the location $v$ and $Out_v = \{v^{out}_0, v^{out}_1, \ldots, v^{out}_m\}$ are the locations to which there is a transition from $v$. Also, let $C$ be a set of linear constraints on $X$. Then, the operator $split(H, v, C)$ constructs a new hybrid automaton $H' = (X, V', E', v_I, \alpha', \beta')$, where

— $V' = V \cup \{v', v''\} \setminus \{v\}$

— $\alpha' = \alpha \cup \{\alpha(v'), \alpha(v'')\} \setminus \{\alpha(v)\}$, where

  • $\alpha(v') = \alpha(v) \cup \{C\}$

  • $\alpha(v'') = \alpha(v) \cup \{\neg C\}$

— $E' = E \setminus \big( \{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v) \mid v_{in} \in In_v\} \cup \{(v, \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\} \big) \cup \big( \{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v') \mid v_{in} \in In_v\} \cup \{(v', \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\} \cup \{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v'') \mid v_{in} \in In_v\} \cup \{(v'', \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\} \big) \cup \{(v', \alpha(v', v'') = C, \{\}, v''),\ (v'', \alpha(v'', v') = \neg C, \{\}, v')\}$

— $\beta' = \beta \cup \{\beta(v'), \beta(v'')\} \setminus \beta(v)$, where

  • $\beta(v') = \beta(v)$

  • $\beta(v'') = \beta(v)$



[Figure: Location Tree for location 113]



We call the new locations $v'$ and $v''$ the children of $v$. In particular, $v' = child(v, C)$ and $v'' = child(v, \neg C)$, where $C$ is the set of linear constraints used to split $v$. We also call $v$ the parent of $v'$ and $v''$. Thus, the split operator naturally defines a tree of locations that we call the location tree, where the children locations are formed by splitting the parent location.

Definition 4. LHA-approximation to a general hybrid automaton: Given a general hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$, $H_a = (X, V_a, E_a, v_{I_a}, \alpha_a, \beta_a)$ is an LHA-approximation iff

— There exists a hybrid automaton $H' = (X, V', E', v_I, \alpha', \beta')$, where $H' = split^n(H)$.

— $V_a = V'$, $E_a = E'$, $v_{I_a} = v_I$, $\alpha' = \alpha_a$

— $\forall v \in V_a$, $\beta_a(v) \supseteq \beta'(v)$ and if $c \in \beta_a(v)$, then $c$ is of the form $\dot{x} = [a, b]$, where $a, b \in \mathbb{R}$.
4 Definitions

The linear hybrid automaton $H_a$ is an over-approximation of the general hybrid automaton $H$. A path $p = \{v_0, v_1, \ldots, v_m\}$ where $v_i \in V$ is said to exist in $H_a$ if $(v_i, \phi_i, \psi_i, v_{i+1}) \in E$, $0 \le i < m$.

Consider a path $p = \{v_0, v_1, \ldots, v_m\}$ that exists in the abstract linear hybrid automaton model $H_a$ and let $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$ be the linear program corresponding to the path. If the linear program $LP_p$ has a feasible solution, then the path is said to be feasible in the abstract model, i.e. the linear hybrid automaton; otherwise it is said to be infeasible.

Definition 5. Trace: Given a feasible path $p$ in the abstract linear hybrid automaton model $H_a$, the feasible solution to the LP program $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$ is called a trace of $H_a$.

We write $trace(H_a) = \langle (v_0, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$.

It is known [9] that the trace obtained by the linear program is a real execution trace of the over-approximate linear hybrid automaton.

Definition 6. Concretization of a path: Consider a path $p = \{v_0, v_1, \ldots, v_m\}$ that is feasible in the abstract linear hybrid automaton model $H_a$. Then, the concretization of this path in the original hybrid automaton $H$ is the trace $p_{concrete} = \{v_0^{root}, v_1^{root}, \ldots, v_m^{root}\}$, where $v_i^{root}$ is the root of the location tree in which $v_i$ is a leaf.

As the split operator forms a tree of locations in the abstract linear hybrid automaton, the root of the location tree is known and the concretization of an abstract path is well defined.
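The split operator of Definition 3, the location tree it induces and the root lookup that the concretization of Definition 6 relies on, as an added example (not code from the paper): a constructed three-location automaton is split twice and an abstract path is mapped back to locations of $H$. The `HalfSpace` class, the closed-complement reading of $\neg C$ and the `v.1`/`v.2` naming of children are this example's assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class HalfSpace:
    """Linear constraint  sum(coefs[x] * x) <= bound, or >= bound when ge is True."""
    coefs: tuple           # ((variable, coefficient), ...)
    bound: float
    ge: bool = False

    def negated(self):
        # Closed complement: both children keep the splitting hyperplane, so the
        # split stays an over-approximation (convention chosen for this example).
        return HalfSpace(self.coefs, self.bound, not self.ge)

@dataclass
class LHA:
    locations: dict        # name -> {"inv": frozenset[HalfSpace], "rate": dict}
    edges: list            # (src, guards: frozenset[HalfSpace], resets: dict, dst)
    initial: str
    parent: dict = field(default_factory=dict)    # child -> parent (the location tree)
    children: dict = field(default_factory=dict)  # (parent, constraint) -> child

    def split(self, v, C):
        """Definition 3: replace v by v' = child(v, C) and v'' = child(v, not C)."""
        loc = self.locations.pop(v)
        v1, v2 = f"{v}.1", f"{v}.2"
        self.locations[v1] = {"inv": loc["inv"] | {C}, "rate": loc["rate"]}
        self.locations[v2] = {"inv": loc["inv"] | {C.negated()}, "rate": loc["rate"]}
        new_edges = []
        for src, guard, reset, dst in self.edges:
            # every edge into v now enters both children and every edge out of v leaves
            # both; edges not touching v are copied unchanged
            for s in ((v1, v2) if src == v else (src,)):
                for d in ((v1, v2) if dst == v else (dst,)):
                    new_edges.append((s, guard, reset, d))
        # the two transitions between the children, guarded by C and not C, with no resets
        new_edges.append((v1, frozenset({C}), {}, v2))
        new_edges.append((v2, frozenset({C.negated()}), {}, v1))
        self.edges = new_edges
        self.parent[v1] = self.parent[v2] = v
        self.children[(v, C)] = v1
        self.children[(v, C.negated())] = v2
        return v1, v2

    def child(self, v, C):
        return self.children[(v, C)]

    def root(self, v):
        """Root of the location tree in which v is a leaf: a location of the original H."""
        while v in self.parent:
            v = self.parent[v]
        return v

    def concretize(self, path):
        """Definition 6: map a path of the abstract H_a back to locations of H."""
        return [self.root(v) for v in path]

INV_V1 = HalfSpace((("x", 1.0),), 10.0)   # invariant x <= 10 of the constructed v1

def build_example():
    """Constructed automaton v0 (initial) -> v1 <-> v2; names and constraints are made up."""
    return LHA(
        locations={
            "v0": {"inv": frozenset(), "rate": {}},
            "v1": {"inv": frozenset({INV_V1}), "rate": {"x": (1, 2), "y": (1, 1)}},
            "v2": {"inv": frozenset(), "rate": {"x": (-1, -1), "y": (2, 3)}},
        },
        edges=[("v0", frozenset(), {"x": 0.0, "y": 0.0}, "v1"),
               ("v1", frozenset({HalfSpace((("x", 1.0),), 4.0, ge=True)}), {"y": 0.0}, "v2"),
               ("v2", frozenset({HalfSpace((("x", 1.0),), 1.0)}), {}, "v1")],
        initial="v0")

C1 = HalfSpace((("x", 1.0),), 5.0)   # split constraint x <= 5
C2 = HalfSpace((("y", 1.0),), 2.0)   # split constraint y <= 2

def refine_twice():
    """Split v1 along x <= 5, then split child(v1, C1) along y <= 2; return the automaton."""
    H = build_example()
    v1a, _ = H.split("v1", C1)
    H.split(v1a, C2)
    return H

if __name__ == "__main__":
    H = refine_twice()
    print(sorted(H.locations))                           # ['v0', 'v1.1.1', 'v1.1.2', 'v1.2', 'v2']
    print(H.concretize(["v0", "v1.1.2", "v2", "v1.2"]))  # ['v0', 'v1', 'v2', 'v1']
```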

Definition 7. Concretization of a trace: Consider a trace $tr = \langle (v_0, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$ corresponding to the path $p = \{v_0, v_1, \ldots, v_m\}$ that is feasible in the abstract linear hybrid automaton model $H_a$. Then, the concretization of this trace in the original hybrid automaton $H$ is the trace $tr_{concrete} = \langle (v_0^{root}, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1^{root}, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m^{root}, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$, where $v_i^{root}$ is the root of the location tree of which $v_i$ is a leaf.

Definition 8. $\epsilon$-Simulation Trajectory: Given a valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, in a location $v$ of a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, then $\tau(x0, x1, \ldots, xn, v, t)$ is said to be an $\epsilon$-simulation trajectory for location $v$ with initial valuation $Val_0(X)$ iff

— $\tau(t = 0) = (x0, x1, \ldots, xn)$

— if $f(x_0, x_1, \ldots, x_n, t)$ is the solution to the initial value problem $(\beta(v), Val_0(X))$, then $f(t) - \epsilon \le \tau(t) \le f(t) + \epsilon$

It is known that numerical techniques can solve the initial value problem for ODEs (including non-linear ODEs) quite efficiently.

Definition 9. $\epsilon$-Hybrid Simulation Trajectory: Given an initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, and a path $p = \{v_0, v_1, \ldots, v_m\}$ in a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, then $\tau(x_0, x_1, \ldots, x_n) = f(t)$ is said to be an $\epsilon$-hybrid simulation trajectory iff

— $\tau(0) = Val_0(X)$ and $Val_0(X) \in \alpha(v_0)$

— if $x_k := e \in \psi(v_i, v_{i+1})$ then $\tau(x_k, (\sum_0^i t_i)^+) = e$ else $\tau(x_k, (\sum_0^i t_i)^+) = \tau(x_k, (\sum_0^i t_i)^-)$

— Before executing the jump $(v_i, v_{i+1})$, $\tau(x_k, (\sum_0^i t_i)^-)$ satisfies every precondition in $\phi(v_i, v_{i+1})$

— Within each location $v_i$ where the timed path has spent time $t_i$,

  • $\forall t, t_i \le t \le t_{i+1}$, $\tau(v, \sum_0^i t_i + t)$ is an $\epsilon$-simulation trajectory for location $v_i$ with initial valuation $Val_0 = \tau(\sum_0^i t_i)$.

Definition 10. Guided Simulation Trajectory of the concretization of a trace: An $\epsilon$-hybrid simulation trajectory $\tau$ is said to be a Guided Simulation Trajectory of a concretized trace $tr_{concrete}$ iff

— The initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, for the trajectory $\tau$ is the initial point in the concretized trace $tr_{concrete}$.

— The $\epsilon$-hybrid simulation trajectory $\tau$ corresponds to the path $p = \{v_0, v_1, \ldots, v_m\}$ corresponding to $tr_{concrete}$.

5 CEGAR based Refinement of the abstract linear hybrid automata

The CEGAR algorithm repeatedly constructs LHA over-approximations to the given (possibly nonlinear) hybrid system and then asks an LHA analysis engine if the over-approximate LHA admits any counterexample. If it does not, we are done and we report that the original hybrid system has no counterexample either. Otherwise, we take the reported counterexample of the over-approximate LHA and attempt to validate it using numerical simulation. If we succeed in validating the counterexample, we report an error that the bad state is reachable and STOP. Otherwise, we find a location where we need to split the nonlinear hybrid automaton and then rebuild a more precise over-approximate abstraction.
Algorithm for CEGAR

(Input: Nonlinear Hybrid Automaton $A$. Output: Error / No error)

1. $A_0 = A$; $i := 0$; $L = Universe$.

2. $LHA_i = LHA\text{-}approximation(A_i)$

3. $\mathcal{L}(LHA_i) :=$ Language of $LHA_i$. $\mathcal{L}(LHA_i)$ represents the set of potential counterexamples in $A_i$ (finitely expressible as a regular expression).

4. $L = L \cap \mathcal{L}(LHA_i)$

5. If $L$ is empty, report "BAD STATES NOT REACHABLE" and stop.

6. Pick a counterexample $ce$ in $L$.

7. Validate the counterexample $ce$ in the original hybrid automaton $A$.

8. If $ce$ is validated in $A$, stop and report that ERROR STATE IS REACHABLE.

9. Compute a refinement operator $split$, and $A_{i+1} = split(A_i)$. Also, compute $L = split(L)$.

10. $i := i + 1$

11. Loop to Step 2.



5.1 Counterexample Validation and Structural Robustness 

Let $v_0, \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0$ be the initial point in a concretized trace $tr_{concrete}$ for the abstraction, i.e. the linear hybrid system $H_a$ corresponding to the general hybrid system $H$. Let $\tau(v_0, x_0, x_1, \ldots, x_n)$ be the $\epsilon$-Hybrid Simulation Trajectory starting from this initial point.

Definition 11. $\epsilon$-Structurally Robust Hybrid System: A hybrid system $H = (X, V, E, v_I, \alpha, \beta)$ is said to be structurally robust iff

— $\forall i, (v_i, \phi, \psi, v_{i+1}) \in E$, every constraint $c$ in $\phi$ is satisfied by at least a dense set of size $\epsilon$, i.e. if $S = \{Val = (x_0, x_1, \ldots, x_n) \mid Val \text{ satisfies } c\}$, then $\max_{a \in S, b \in S} d(a, b) \ge \epsilon$.

In particular, we allow only sampled comparisons $x :=_\epsilon c$, which is a shorthand for $\lfloor c/\epsilon \rfloor \times \epsilon \le x \le \lceil c/\epsilon \rceil \times \epsilon$.

Definition 12. $\epsilon$-Robust Hybrid Simulation Trajectory: Given an initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, and a path $p = \{v_0, v_1, \ldots, v_m\}$ in a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, then $\tau(x_0, x_1, \ldots, x_n) = f(t)$ is said to be an $\epsilon$-robust hybrid simulation trajectory iff

— $\tau(0) = Val_0(X)$ and $Val_0(X) \in \alpha(v_0)$

— if $x_k := e \in \psi(v_i, v_{i+1})$ then $\tau(x_k, (\sum_0^i t_i)^+) = e$ else $\tau(x_k, (\sum_0^i t_i)^+) = \tau(x_k, (\sum_0^i t_i)^-)$

— Before executing the jump $(v_i, v_{i+1})$, $\tau(x_k, (\sum_0^i t_i)^-)$ satisfies every precondition in $\phi(v_i, v_{i+1})$ $\epsilon$-robustly.

  • A linear constraint $c$ is $\epsilon$-robustly satisfied by $X = (x_0, x_1, \ldots)$ iff for every $X'$ such that $d(X, X') < \epsilon$, $c(X')$ is true.

— Within each location $v_i$ where the timed path has spent time $t_i$,

  • $\forall t, t_i \le t \le t_{i+1}$, $\tau(v, \sum_0^i t_i + t)$ is an $\epsilon$-simulation trajectory for location $v_i$ with initial valuation $Val_0 = \tau(\sum_0^i t_i)$.

Theorem 1. If $\tau(v_0, x_0, x_1, \ldots, x_n)$ is an $\epsilon$-Robust Hybrid Simulation Trajectory starting from the initial valuation $Val_0 = \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n)$, and $H$ is an $\epsilon$-structurally robust hybrid system, then $tr_{concrete}$ corresponds to a real counterexample for the hybrid system $H$.

Proof. The proof follows from the definition of $\epsilon$-robust hybrid automata and the notion of $\epsilon$-hybrid simulation trajectory.
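The $\epsilon$-robust satisfaction test of Definition 12, the sampled comparison $x :=_\epsilon c$ and the dense-set condition of Definition 11, and the counterexample validation of Theorem 1, as an added example that is not code from the paper: with the Euclidean metric a linear constraint is $\epsilon$-robustly satisfied exactly when its linear form clears each finite bound by $\epsilon\lVert c\rVert_2$, which gives a closed-form check. The path, the traces and all function names are constructed for this example.

```python
import math

def robustly_satisfied(coefs, lo, hi, X, eps):
    """Definition 12: c = (lo <= sum_k coefs[k]*X[k] <= hi) is eps-robustly satisfied at X iff
    it holds at every X' with Euclidean d(X, X') < eps.  By Cauchy-Schwarz the linear form
    moves by less than eps*||c||_2 over that ball, so the test is the interval shrunk by that
    margin on each bounded side (None marks an unbounded side)."""
    value = sum(c * X[k] for k, c in coefs.items())
    margin = eps * math.sqrt(sum(c * c for c in coefs.values()))
    return (lo is None or value - margin >= lo) and (hi is None or value + margin <= hi)

def sampled_comparison(x, c, eps):
    """x :=_eps c  (Section 5.1): the band  floor(c/eps)*eps <= x <= ceil(c/eps)*eps."""
    return (math.floor(c / eps) * eps, {x: 1.0}, math.ceil(c / eps) * eps)

def satisfying_set_diameter(constraint, n_vars):
    """max_{a,b in S} d(a,b) for S = {Val | Val satisfies c}, c one linear constraint over
    n_vars variables.  Only a two-sided constraint on the single variable of a one-variable
    system bounds S; every other case leaves a free direction, so the diameter is infinite."""
    lo, coefs, hi = constraint
    if len(coefs) == 1 and n_vars == 1 and lo is not None and hi is not None:
        (c,) = coefs.values()
        return (hi - lo) / abs(c)
    return math.inf

def structurally_robust(edges, n_vars, eps):
    """Definition 11: every guard constraint on every transition admits a dense set of size eps."""
    return all(satisfying_set_diameter(c, n_vars) >= eps
               for _, guards, _, _ in edges for c in guards)

def validate_counterexample(exit_valuations, edges, eps):
    """Theorem 1 check on a concretized trace: the valuation gamma_i at the moment of each jump
    must satisfy every guard of that jump eps-robustly.  Returns the index of the first jump
    that fails, or None when the whole trace validates (a real counterexample)."""
    for i, (_, guards, _, _) in enumerate(edges):
        if not all(robustly_satisfied(coefs, lo, hi, exit_valuations[i], eps)
                   for lo, coefs, hi in guards):
            return i
    return None

# Constructed path v_0 -> v_1 -> v_2 -> v_3 over x, y (not from the paper).  The guard on
# v_1 -> v_2 is the sampled comparison x :=_0.5 3.2, i.e. 3.0 <= x <= 3.5; the guard on
# v_2 -> v_3 is x + y <= 8.  Edges are (src, guards, resets, dst).
EPS_SAMPLE = 0.5
EDGES = [
    ("v0", [], {"x": 0.0, "y": 0.0}, "v1"),
    ("v1", [sampled_comparison("x", 3.2, EPS_SAMPLE)], {}, "v2"),
    ("v2", [(None, {"x": 1.0, "y": 1.0}, 8.0)], {}, "v3"),
]
# gamma_i on leaving v_0, v_1, v_2, as a (constructed) LP trace would report them
TRACE_ROBUST = [{"x": 0.0, "y": 0.0}, {"x": 3.25, "y": 1.0}, {"x": 2.0, "y": 5.0}]
TRACE_FRAGILE = [{"x": 0.0, "y": 0.0}, {"x": 3.05, "y": 1.0}, {"x": 2.0, "y": 5.0}]

if __name__ == "__main__":
    eps = 0.1
    print(structurally_robust(EDGES, 2, EPS_SAMPLE))           # True
    print(validate_counterexample(TRACE_ROBUST, EDGES, eps))    # None: validated
    print(validate_counterexample(TRACE_FRAGILE, EDGES, eps))   # 1: x = 3.05 is within 0.1 of the band edge
```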

5.2 Simulation Based Abstraction Refinement 

Consider the concretization of a trace $tr_{concrete}$ with respect to the general hybrid automaton $H$ obtained from a trace $tr$ of the abstract linear hybrid automaton $H_a$. Also, consider the guided hybrid simulation trajectory $\tau_{tr_{concrete}}$ corresponding to the concretization of the trace $tr$ with respect to the general hybrid automaton $H$.

Metrics for distance between trace and trajectory. We define two distance metrics between a trace and the corresponding guided hybrid simulation trajectory.

— $D(t) = d(\tau_{tr_{concrete}}(t), tr_{concrete}(t))$.

This is simply a distance metric between corresponding points on the trace and the trajectory. The metric $d$ may be the Euclidean distance metric or the Manhattan distance metric (linear function).

— $D'(t) = d'\big(d(\tau_{tr_{concrete}}(t), tr_{concrete}(t)),\ d(\tau_{tr_{concrete}}(t^-), tr_{concrete}(t^-))\big)$

This metric measures how rapidly the guided hybrid simulation trajectory is moving away from the trace. The metric $d$ may be the Euclidean distance metric or the Manhattan distance metric (linear function), while the metric $d'$ may be the real difference. $t^-$ represents the last instant of time for which the value of the concretized trace is known.

Strategies to choose the location to be refined. Let $t_i$ be the discrete points on the concretization of a trace, i.e. on $tr_{concrete}$, for which $tr_{concrete}(t_i)$ is known from the solution of the LP problem. There are a few different strategies to choose the location in the approximate linear hybrid automaton where one needs to refine the abstract hybrid automaton $H_a$.

— $\min_i |D(t_i)| > \epsilon$, where $\epsilon$ is an empirically determined constant.

— $\min_i |D'(t_i) - D'(t_{i-1})| > \epsilon$, where $\epsilon$ is an empirically determined constant.

— $\min_i |D'(t_i) / D'(t_{i-1})| > \epsilon$, where $\epsilon$ is an empirically determined constant.

After finding the point $t_i$ at which one needs to refine the location, the location $v_i$ at the time $t_i$ which needs to be split is easily known from the concretized trace.

Choosing the variable to split the location. When a simulation trajectory differs substantially from the trace obtained by the LP solution, we need to split the location at which the difference is substantial along a hyperplane such that the abstract hybrid automaton formed by the linear hybrid automaton has a trace that is close to the simulation trajectory. Let $D$ be the metric used to decide if a given location should be refined; then we split those variables into half-spaces which have contributed beyond a threshold to $D$.
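The distance metric $D(t_i)$, the strategy $\min_i |D(t_i)| > \epsilon$ and the choice of the variable to split, as an added example that is not code from the paper: the guided simulation of Definition 10 (RK4 integration that spends the LP trace's delay $t_i$ in each location and applies the jump's resets) is compared with a constructed LP trace of a nonlinear automaton with $\dot{y} = x^2$. The automaton, the trace, the RK4 step size and the `share` threshold are this example's assumptions.

```python
import math

def rk4_step(f, state, h):
    """One classical RK4 step of the autonomous ODE  x' = f(x)  on a dict-valued state."""
    def shifted(k, s):
        return {v: state[v] + s * k[v] for v in state}
    k1 = f(state)
    k2 = f(shifted(k1, h / 2))
    k3 = f(shifted(k2, h / 2))
    k4 = f(shifted(k3, h))
    return {v: state[v] + h / 6 * (k1[v] + 2 * k2[v] + 2 * k3[v] + k4[v]) for v in state}

def guided_simulation(dynamics, initial, trace, dt=1e-3):
    """Definition 10: start at the concretized trace's initial point, follow its path, spend the
    trace's delay t_i in each location v_i and apply the jump's resets on leaving.  Returns the
    simulated valuation tau(t_i) at each jump instant, aligned with the trace entries."""
    state, out = dict(initial), []
    for step in trace:
        steps = max(1, round(step["delay"] / dt))
        h = step["delay"] / steps
        for _ in range(steps):
            state = rk4_step(dynamics[step["loc"]], state, h)
        out.append(dict(state))          # value just before the jump
        state.update(step["reset"])      # resets of the transition out of v_i
    return out

def euclid(p, q):
    return math.sqrt(sum((p[v] - q[v]) ** 2 for v in p))

def distances(trace, sim):
    """D(t_i) = d(tau(t_i), tr_concrete(t_i)) with Euclidean d, and D'(t_i) as the real
    difference D(t_i) - D(t_{i-1}), taking D(t_{-1}) = 0 (assumption of this example)."""
    D = [euclid(s, step["exit"]) for step, s in zip(trace, sim)]
    Dp = [D[i] - (D[i - 1] if i else 0.0) for i in range(len(D))]
    return D, Dp

def choose_refinement(trace, sim, eps, share=0.5):
    """Strategy  min_i |D(t_i)| > eps: the first jump instant at which the trajectory has left
    the eps-band around the LP trace.  Returns (location v_i to split, variables whose own
    deviation exceeds `share` of D(t_i), i.e. the half-space directions to split along)."""
    D, _ = distances(trace, sim)
    for i, d in enumerate(D):
        if abs(d) > eps:
            step, s = trace[i], sim[i]
            culprits = [v for v in s if abs(s[v] - step["exit"][v]) > share * d]
            return step["loc"], culprits
    return None, []

# Constructed nonlinear automaton H (not from the paper): in v1, x' = 1 and y' = x^2; in v2 the
# dynamics are affine.  Its LHA abstraction H_a over-approximates y' in v1 by [0, 4] on 0 <= x <= 2.
DYNAMICS = {
    "v1": lambda s: {"x": 1.0, "y": s["x"] ** 2},
    "v2": lambda s: {"x": -1.0, "y": 1.0},
}
INITIAL = {"x": 0.0, "y": 0.0}     # lambda_0, the resets of the initial transition
# Constructed LP trace of H_a: the LP solution happens to use the maximal rate y' = 4 in v1.
TRACE = [
    {"loc": "v1", "delay": 2.0, "exit": {"x": 2.0, "y": 8.0}, "reset": {"y": 0.0}},
    {"loc": "v2", "delay": 2.0, "exit": {"x": 0.0, "y": 2.0}, "reset": {}},
]

def refine_example(eps=0.5):
    sim = guided_simulation(DYNAMICS, INITIAL, TRACE)
    return choose_refinement(TRACE, sim, eps)

if __name__ == "__main__":
    sim = guided_simulation(DYNAMICS, INITIAL, TRACE)
    print([round(s["y"], 4) for s in sim])   # [2.6667, 2.0]: y(2) = 8/3 in v1, not 8
    print(refine_example())                  # ('v1', ['y'])
```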

6 Conclusion and Future Work 

This early draft discusses the core issues involved in building a CEGAR framework for analyzing nonlinear hybrid systems. The central idea is to use linear programming as a mechanism for obtaining feasible traces of the over-approximate linear hybrid automata (LHA) abstractions and numerical simulation for obtaining a corresponding trace of the original (possibly nonlinear) hybrid system. The distance between these two traces is then used to guide the refinement step in our CEGAR loop.

Several practical issues like the choice of the distance metrics, the choice of a particular solution to the linear program and a characterization of the nonlinear functions which can be handled using this paradigm have been left to a more complete version of this draft. The techniques presented here are also being implemented into a tool which will be a successor to the IRA meta-tool for analyzing LHAs.
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for linear hybrid automata (LHA) to perform reachability analysis on 
nonlinear hybrid automata. A notion of e— structural robustness is also 
introduced which allows the algorithm to validate counterexamples using 
numerical simulations. 



1 Introduction 

The model checking of hybrid automata remains a challenge and the existing 
tools [?,?] do not scale up to the needs of the industry. Because of the well known 
fundamental undecidability results [?] , the model checking of general hybrid au- 
tomata often proceeds by building successive tighter approximations to these 
hybrid automata in a relatively easy-to-analyze fragment of hybrid automata 
like Linear Hybrid Automata [?] . Theoretical results about the asymptotic com- 
pleteness of this approximation procedure form the backbone of such a strategy 
behind the model checking of nonlinear hybrid automata. 

There has been considerable interest in applying Counterexample Guided 
Abstraction Refinement (CEGAR), which works so well with discrete systems, 
to the problem of hybrid system verification [?] . There has also been some ex- 
ploration of using fragments instead of counterexamples during abstraction re- 
finement [?] and the application of CEGAR specifically to LHA [?]. However, 
our ongoing work makes the following new contributions to the abstraction re- 
finement based analysis of hybrid systems. 



— We address the problem of abstraction refinement for nonlinear hybrid au- 
tomata and use CEGAR to construct successively refined LHA approxima- 
tions. Our refinement is lazy and hence, refines some parts of the state space 
more finely than others. 

— We use the distance between a feasible path in the abstract linear hybrid 
automata and the numerically simulated trajectory in the nonlinear hybrid 
automata to refine those locations in the LHA that do not faithfully represent 
the behavior of the nonlinear hybrid automata. 



— We define a structural notion of robustness and use it to present a counterex- 
ample validation algorithm (for a rich class of nonlinear hybrid automata) 
using linear programming [?]. Hence, it is possible to detect reachability of 
a bad state even before the abstraction refinement loop terminates. 

2 Background on LP based path feasibility analysis of 
LHA 

Informally, a linear hybrid automaton is a conventional automaton extended 
with a set of continuous variables. The states of the automaton called locations 
are annotated with a change rate for each continuous variable such as i = [a, b] 
{x is a variable, and [a,b] is a rational interval), and the transitions of the au- 
tomaton are labeled with constraints on the variables such as a < q CiXi < b 
and /or with reset actions such as x := c {xi and x are variables, a, b, and Ci 
arc real numbers). Such linear hybrid automata are essentially equivalent to the 
definition given in [?] . It is known that this subclass of linear hybrid automata 
are sufficiently expressive to allow asymptotic completeness of the abstraction 
process for a general hybrid automata. " A restricted form of linear phase por- 
trait approximations are asymptotically complete, namely, when all automaton 
constraints arc over-approximated using independent, rational lower and upper 
bounds on the values and derivatives of each variable" [?] .For simplicity, we sup- 
pose that in any linear hybrid automaton considered in this paper, there is just 
one initial location with no initial conditions and no transitions to the initial 
location (we assume that each variable with an initial value is reset to the initial 
value by the transitions from the initial location). 

Definition 1. A linear hybrid automaton is a tuple H = {X,V,E,vi,a,P), 
where 

— X is a finite set of real-valued variables. 

— V is a finite set of locations. 

— E is transition relation whose elements are of the form (u, (f), ip, v') where 
v,v' are in V, (f> is a set of guards or variable constraints of the form a < 
YliLo '^i^i — ^' ^^'-^ ip is a set of reset actions of the form x := c where 
Xi € X (0 < i < m), X £ X , a,b and c,; {0 < i < m) are real numbers, and a 
and b may be oo. 

— vj is an initial location. 

— a is a labeling function which maps each location in V — {vj} to a state 
invariant which is a set of variable constraints of the form a < X]i=o — ^ 
where Xi G X (0 < i < m), y G X, a, b, and (0 < i < m) are real numbers, 
a and b may be oo. 

— /3 is a labeling function which maps each location in V — {vi} to a set of 
change rates which are of the form x= [a,b] where x € X, and a,b are 
rational numbers (a < b). For any location v, for any x £ X, there is one 
and only one change rate definition x= [a, b] S P{v). 

□ 
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For a linear hybrid automaton H = {X, V, E, vi, a, (3) , a path segment is a 
sequence of locations 

Vl > V2 > . . . > Vn 

which satisfies {vi, (j)i,4'i,Vi+i) G E for each i (1 < i < n — 1). A path in 
is a path segment starting at u/. The behavior of linear hybrid automata 
can be represented by timed sequences. Any timed sequence is of the form 
{vi, tl)" (v2, ^2)" • ■ • "(vm tn), where Vi {1 < i < n) is a, location and ti {1 < i < n) 
is a nonnegative real number, which represents a behavior of an automaton that 
the system starts at the initial location and changes to the location wi, stays 
there for ti time units, then changes to the location V2 and stays in V2 for t2 
time units, and so on. 




VQ Vl V2 



Definition 2. [?] For a linear hybrid automaton H = {X,V, E,vi ,a, (3), a 
timed sequence (wi, ii)"('y2, ^2)* in) represents a behavior of H if the 

following condition is satisfied: 

— there is a path in H of the form 

Vo — > Vl — > . . . — > Vn ; 

— ti,t2, ■ ■ ■ ,tn satisfy all the variable constraints in 0; (1 < i < 71 — 1), i.e. for 
each variable constraint a < cqxq + cixi + . . . + CmXm < b in (pi, 

5k < li{xk) < for any fc (0 < fc < m), and 
a < co7i(.To) + ci7,;(a;i) + . . . + c„j7j(a:„) < b 

where ^i{xk) (0 < fc < m) represents the value of the variable Xk when the 
automaton stay at Vi with the delay tf, and, similarly, 

— ti,t2, ■ ■ ■ ,tm,"yi{xk), Xi{xk) satisfy the state invariant for each location Vi 
{1 < i < n), where ^i{xk) (0 < fc < m) represents the value of the variable 
Xk when the automaton stay at Vi with the delay ti, and \i{xk) (0 < fc < m) 
represents the value of the variable Xk after leaving state Vi and after the 
reset conditions have been applied. 
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Now, we use linear programming to test the feasibility of a single path for 
the reachability analysis of linear hybrid automata. Let H = {X,V, E,vi, a, P) 
be a linear hybrid automaton, , and p be a path in H of the form 

vo — > Vl — > . . . — > v„ 

where Vn — v. For any timed sequence of the form (wi, ti)"(v2, ^2)" • ■ • '(^^n, ^n), 
if p is feasible, then the following condition must hold: 

— ti, t2, . . . , tri satisfy all the variable constraints in (/)i(0 < i < n), and 

— ti, t2, . . . , tri satisfy all the variable constraints in a{vi) (1 < i < ri), 

which form a group of linear inequalities on ti, i27 • ■ • , ^n, li{xk), Xi{xk) (see 
Definition 2), denoted by 0{p) or LPp{ti,'-fi{xk), Xi{xk))- It follows that we can 
check if p is a feasible path by checking if the group 0{p) (or LPp (i^ , 7^ (xfc ), Ai (xfc )) ) 
of linear inequalities has a solution, which can be solved by linear programming 

[?]• 

3 Background on Abstraction of AfRne dynamics by LHA 

Given a general hybrid system H = {X, V, E, vj, a, f3) where X is a finite set of 
real- valued variables, 1^ is a finite set of locations, E is transition relation whose 
elements are of the form (w, 0, ip, v') where w, v' are in V , (j) \s a, set of guards or 
variable constraints of the form a < Xll^lo '^^^^ — ^' ^^'^ ip is a. set of reset actions 
of the form x := c where Xi € X {0 < i < m), x € X , a,b and q (0 < i < m) are 
real numbers, and a and b may be 00, u/ is an initial location, a is a labeling 
function which maps each location in V^— {vi} to a state invariant which is a set 
of variable constraints of the form a < Xli=o — ^ where Xi € X (0 < i < m), 
y € X, a, 6, and (0 < i < m) are real numbers, a and b may be 00, /3 is a 
labeling function which maps each location in — {vi} to a set of change rates 
which are of the form Xj— f{xo, xi, . . . , Xm, ig, ii, . . . , Xm, oo, ai ■ • ■ Om) where 
Xq , Xl . . . Xm e X, and ao, ai . . . , a„ are real numbers). For any location v, for 
any x € X, there is one and only one change rate definition. 

We construct (in a fashion similar to [?,?]) a linear hybrid automata Ha 
which is an over-approximate abstraction of the general hybrid automata H. We 
define an operator split which divides a location into smaller locations and use 
this to divide each location Vi of the original hybrid automaton. 

Definition 3. Let $v$ be a location and $x_i \in X$ be a variable in a hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$. Let $In_v = \{v^{in}_0, \ldots, v^{in}_k\}$ be the locations from which there is a transition into the location $v$ and $Out_v = \{v^{out}_0, v^{out}_1, \ldots, v^{out}_l\}$ be the locations to which there is a transition from $v$. Also, let $C$ be a set of linear constraints on $X$. Then the operator $split(H, v, C)$ constructs a new hybrid automaton $H' = (X, V', E', v_I, \alpha', \beta')$, where

– $V' = V \cup \{v', v''\} \setminus \{v\}$

– $\alpha' = \alpha \cup \{\alpha(v'), \alpha(v'')\} \setminus \{\alpha(v)\}$, where

  • $\alpha(v') = \alpha(v) \cup \{C\}$

  • $\alpha(v'') = \alpha(v) \cup \{\neg C\}$

– $E' = E \setminus \big(\{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v) \mid v_{in} \in In_v\} \cup \{(v, \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\}\big)$
  $\cup\ \big(\{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v') \mid v_{in} \in In_v\} \cup \{(v', \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\}$
  $\cup\ \{(v_{in}, \phi_{v_{in},v}, \psi_{v_{in},v}, v'') \mid v_{in} \in In_v\} \cup \{(v'', \phi_{v,v_{out}}, \psi_{v,v_{out}}, v_{out}) \mid v_{out} \in Out_v\}\big)$
  $\cup\ \{(v', \phi_{v',v''} = C, \{\}, v''),\ (v'', \phi_{v'',v'} = \neg C, \{\}, v')\}$

  i.e. every transition into $v$ is redirected into both children, every transition out of $v$ leaves from both children, and the two children are connected by transitions guarded by $C$ and $\neg C$ with empty resets.

– $\beta' = \beta \cup \{\beta(v'), \beta(v'')\} \setminus \{\beta(v)\}$, where

  • $\beta(v') = \beta(v)$

  • $\beta(v'') = \beta(v)$



(Figure: Location Tree for a split location; the figure is not reproduced here.)



We call the new locations $v'$ and $v''$ the children of $v$. In particular, $v' = child(v, C)$ and $v'' = child(v, \neg C)$, where $C$ is the set of linear constraints used to split $v$. We also call $v$ the parent of $v'$ and $v''$. Thus, the split operator naturally defines a tree of locations that we call the location tree, in which the child locations are formed by splitting the parent location.
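As an added illustration (not the authors' code), the following Python encodes the split operator of Definition 3 and the location tree, and reads off the root that the concretization of Definition 6 needs. It assumes a concrete encoding: a constraint $C$ is a single closed half-space $c \cdot x \le b$, so that $\neg C$ is again a closed half-space $c \cdot x \ge b$ (the shared boundary is harmless for an over-approximation); invariants are sets of such half-spaces; change rates are kept as opaque descriptions because split copies them unchanged to both children.

```python
"""Added example: the split operator (Definition 3) and the location tree.

Illustrative code written for this page, not the authors' tool.  Assumed
encoding: a constraint is a closed half-space c.x <= b whose negation is the
closed half-space c.x >= b; a transition is (source, guard, reset, target).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Vector = Tuple[float, ...]


@dataclass(frozen=True)
class Constraint:
    coeffs: Vector            # c in  c . x <= b
    bound: float              # b

    def negate(self) -> "Constraint":
        # not (c.x <= b) is over-approximated by the closed set c.x >= b
        return Constraint(tuple(-c for c in self.coeffs), -self.bound)

    def holds(self, x: Vector) -> bool:
        return sum(c * xi for c, xi in zip(self.coeffs, x)) <= self.bound


@dataclass(frozen=True)
class Transition:
    src: str
    guard: FrozenSet[Constraint]
    reset: Tuple[Tuple[int, float], ...]   # (variable index, constant) pairs
    dst: str


@dataclass
class HybridAutomaton:
    variables: List[str]
    locations: Set[str]
    transitions: Set[Transition]
    initial: str
    invariant: Dict[str, FrozenSet[Constraint]]     # alpha
    rates: Dict[str, str]                           # beta, kept opaque here
    parent: Dict[str, str] = field(default_factory=dict)   # the location tree


def split(h: HybridAutomaton, v: str, C: Constraint) -> HybridAutomaton:
    """Return split(H, v, C): v is replaced by v_1 (with C) and v_2 (with not C)."""
    v1, v2 = v + "_1", v + "_2"
    inv = dict(h.invariant)
    inv[v1] = h.invariant[v] | {C}
    inv[v2] = h.invariant[v] | {C.negate()}
    del inv[v]
    rates = dict(h.rates)
    rates[v1] = rates[v2] = rates.pop(v)            # beta(v') = beta(v'') = beta(v)
    trans: Set[Transition] = set()
    for tr in h.transitions:                        # redirect In_v and Out_v to both children
        srcs = [v1, v2] if tr.src == v else [tr.src]
        dsts = [v1, v2] if tr.dst == v else [tr.dst]
        for s in srcs:
            for d in dsts:
                trans.add(Transition(s, tr.guard, tr.reset, d))
    trans.add(Transition(v1, frozenset({C}), (), v2))            # (v', C, {}, v'')
    trans.add(Transition(v2, frozenset({C.negate()}), (), v1))   # (v'', not C, {}, v')
    parent = dict(h.parent)
    parent[v1] = parent[v2] = v
    return HybridAutomaton(h.variables, (h.locations - {v}) | {v1, v2}, trans,
                           h.initial, inv, rates, parent)


def root(h: HybridAutomaton, v: str) -> str:
    """Root of the location tree in which v is a leaf (used by Definition 6)."""
    while v in h.parent:
        v = h.parent[v]
    return v


def concretize_path(h: HybridAutomaton, path: List[str]) -> List[str]:
    return [root(h, v) for v in path]


def demo() -> HybridAutomaton:
    """Constructed 3-location automaton over x; location v is split twice."""
    h = HybridAutomaton(
        variables=["x"],
        locations={"init", "v", "bad"},
        transitions={Transition("init", frozenset(), (), "v"),
                     Transition("v", frozenset({Constraint((1.0,), 0.5)}), (), "bad")},
        initial="init",
        invariant={"init": frozenset(), "v": frozenset({Constraint((1.0,), 2.0)}),
                   "bad": frozenset()},
        rates={"init": "x' = 0", "v": "x' = -x^2", "bad": "x' = 0"},
    )
    h = split(h, "v", Constraint((1.0,), 1.0))      # v_1: x <= 1,   v_2: x >= 1
    h = split(h, "v_1", Constraint((1.0,), 0.5))    # v_1_1: x <= 0.5, v_1_2: x >= 0.5
    return h
```

After the two splits the automaton has five locations and twelve transitions, and `concretize_path` maps any leaf back to the original location `v`, which is exactly what the concretization of an abstract path requires.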

Definition 4. LHA-approximation of a general hybrid automaton: Given a general hybrid automaton $H = (X, V, E, v_I, \alpha, \beta)$, $H_a = (X, V_a, E_a, v_{I_a}, \alpha_a, \beta_a)$ is an LHA-approximation iff

– there exists a hybrid automaton $H' = (X, V', E', v_I, \alpha', \beta')$ with $H' = split^n(H)$ for some $n \ge 0$;

– $V_a = V'$, $E_a = E'$, $v_{I_a} = v_I$, $\alpha_a = \alpha'$;

– $\forall v \in V_a$, $\beta_a(v) \supseteq \beta'(v)$, and if $c \in \beta_a(v)$ then $c$ is of the form $\dot{x} \in [a, b]$ where $a, b \in \mathbb{R}$; that is, the change rates of $\beta'(v)$ are replaced by constant rate intervals that contain every rate the dynamics can take inside the invariant $\alpha'(v)$.
4 Definitions

The linear hybrid automaton $H_a$ is an over-approximation of the general hybrid automaton $H$. A path $p = (v_0, v_1, \ldots, v_m)$ with $v_i \in V_a$ is said to exist in $H_a$ if $(v_i, \phi, \psi, v_{i+1}) \in E_a$ for $0 \le i < m$.

Consider a path $p = (v_0, v_1, \ldots, v_m)$ that exists in the abstract linear hybrid automaton model $H_a$ and let $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$ be the linear program corresponding to the path. If the linear program $LP_p$ has a feasible solution, then the path is said to be feasible in the abstract model, i.e. the linear hybrid automaton; otherwise it is said to be infeasible.

Definition 5. Trace: Given a feasible path $p$ in the abstract linear hybrid automaton model $H_a$, the feasible solution to the linear program $LP_p(t_i, \gamma_i(x_k), \lambda_i(x_k))$ is called a trace of $H_a$.

We write $trace(H_a) = \langle (v_0, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$, where $\gamma_i(x_k)$ and $\lambda_i(x_k)$ are the values of $x_k$ in location $v_i$ determined by the LP ($\gamma_0$ being the initial valuation of the trace) and $t_i$ is the time spent in $v_i$.

It is known [?] that the trace obtained by the linear program is a real execution trace of the over-approximate linear hybrid automaton.
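The linear program $LP_p$ referred to above, as an added worked example written for this page (not the authors' code): for each location $v_i$ of the path the unknowns are the entry values $\gamma_i(x_k)$, the exit values $\lambda_i(x_k)$ and the dwell time $t_i$; the constraints are the initial valuation, $t_i \ge 0$, the invariant at entry and exit (sufficient because an LHA run inside a location is a straight segment and the invariant is convex), the rate interval $\gamma_i + a\,t_i \le \lambda_i \le \gamma_i + b\,t_i$, the guard at exit, the reset or continuity into the next location, and the bad set at the end. Feasibility is decided here with Fourier-Motzkin elimination so the example needs no external solver; a real implementation would hand the same inequalities to an LP solver, which also returns the witness used as the trace. The two-location automaton (a clock $c$ and a variable $x$ whose nonlinear rate $\dot{x} = -x^2$ is abstracted to the intervals $[-4,-1]$ on $1 \le x \le 2$ and $[-1,0]$ on $0 \le x \le 1$) is a constructed assumption.

```python
"""Added example (not the authors' code): build LP_p for a path through an LHA
and decide feasibility with Fourier-Motzkin elimination.

Unknowns per location i of the path: gamma_i(x_k) (entry), lambda_i(x_k)
(exit) and t_i (dwell time).  Every inequality is stored as (a, b) meaning
a . z <= b over the flat vector z of unknowns.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

Ineq = Tuple[List[float], float]
Bounds = Tuple[Optional[float], Optional[float]]     # (lower, upper), None = unbounded


def fm_feasible(cons: List[Ineq], nvars: int, eps: float = 1e-9) -> bool:
    """Eliminate every variable; the system is feasible iff only 0 <= b rows with b >= 0 remain."""
    cons = [(list(a), b) for a, b in cons]
    remaining = list(range(nvars))
    while remaining:
        counts = {j: (sum(1 for a, _ in cons if a[j] > eps),
                      sum(1 for a, _ in cons if a[j] < -eps)) for j in remaining}
        # greedy: eliminate the variable that creates the fewest new rows
        j = min(remaining, key=lambda j: counts[j][0] * counts[j][1] - sum(counts[j]))
        remaining.remove(j)
        pos = [(a, b) for a, b in cons if a[j] > eps]
        neg = [(a, b) for a, b in cons if a[j] < -eps]
        cons = [(a, b) for a, b in cons if abs(a[j]) <= eps]
        for (ap, bp), (an, bn) in product(pos, neg):
            sp, sn = 1.0 / ap[j], -1.0 / an[j]     # scale z_j to +1 and -1, then add
            a = [sp * x + sn * y for x, y in zip(ap, an)]
            a[j] = 0.0
            cons.append((a, sp * bp + sn * bn))
    return all(b >= -eps for _, b in cons)


class PathLP:
    """Inequalities of LP_p over z = (gamma_i(x_k), lambda_i(x_k), t_i) for each i."""
    def __init__(self, path: List[str], variables: List[str]):
        self.path, self.vars = path, variables
        self.width = 2 * len(variables) + 1         # unknowns per location
        self.n = self.width * len(path)
        self.cons: List[Ineq] = []
    def gamma(self, i: int, k: int) -> int: return i * self.width + k
    def lam(self, i: int, k: int) -> int:   return i * self.width + len(self.vars) + k
    def t(self, i: int) -> int:             return i * self.width + 2 * len(self.vars)
    def le(self, terms: Dict[int, float], rhs: float) -> None:
        a = [0.0] * self.n
        for j, c in terms.items():
            a[j] += c
        self.cons.append((a, rhs))
    def eq(self, terms: Dict[int, float], rhs: float) -> None:
        self.le(terms, rhs)
        self.le({j: -c for j, c in terms.items()}, -rhs)
    def bound(self, z: int, lo_hi: Bounds) -> None:
        lo, hi = lo_hi
        if lo is not None: self.le({z: -1.0}, -lo)
        if hi is not None: self.le({z: 1.0}, hi)


def build_path_lp(lha, edges, path, variables, init, target) -> PathLP:
    lp = PathLP(path, variables)
    for k, x in enumerate(variables):
        lp.eq({lp.gamma(0, k): 1.0}, init[x])                    # initial valuation gamma_0
    for i, v in enumerate(path):
        lp.le({lp.t(i): -1.0}, 0.0)                               # t_i >= 0
        for k, x in enumerate(variables):
            inv = lha[v]["inv"].get(x, (None, None))
            lp.bound(lp.gamma(i, k), inv)                         # invariant at entry ...
            lp.bound(lp.lam(i, k), inv)                           # ... and at exit (convexity)
            a, b = lha[v]["rate"][x]                              # gamma + a t <= lambda <= gamma + b t
            lp.le({lp.gamma(i, k): 1.0, lp.t(i): a, lp.lam(i, k): -1.0}, 0.0)
            lp.le({lp.lam(i, k): 1.0, lp.gamma(i, k): -1.0, lp.t(i): -b}, 0.0)
        if i + 1 < len(path):
            edge = edges[(v, path[i + 1])]
            for k, x in enumerate(variables):
                lp.bound(lp.lam(i, k), edge["guard"].get(x, (None, None)))   # guard at exit
                if x in edge["reset"]:
                    lp.eq({lp.gamma(i + 1, k): 1.0}, edge["reset"][x])        # x := c
                else:
                    lp.eq({lp.gamma(i + 1, k): 1.0, lp.lam(i, k): -1.0}, 0.0)  # continuity
    for k, x in enumerate(variables):
        lp.bound(lp.lam(len(path) - 1, k), target.get(x, (None, None)))      # bad set
    return lp


# constructed LHA abstraction: x' = -x^2 becomes the interval [-4,-1] on 1<=x<=2 and
# [-1,0] on 0<=x<=1; c is a clock with rate 1
LHA = {"v0": {"inv": {"x": (1.0, 2.0)}, "rate": {"x": (-4.0, -1.0), "c": (1.0, 1.0)}},
       "v1": {"inv": {"x": (0.0, 1.0)}, "rate": {"x": (-1.0, 0.0), "c": (1.0, 1.0)}}}


def path_feasible(clock_bound: float) -> bool:
    """Is p = (v0, v1) with guard x <= 1, c <= clock_bound able to reach x <= 0.5?"""
    edges = {("v0", "v1"): {"guard": {"x": (None, 1.0), "c": (None, clock_bound)}, "reset": {}}}
    lp = build_path_lp(LHA, edges, ["v0", "v1"], ["x", "c"],
                       {"x": 2.0, "c": 0.0}, {"x": (None, 0.5)})
    return fm_feasible(lp.cons, lp.n)
```

With the clock guard $c \le 0.3$ the path is feasible in the abstraction (the LHA may let $x$ fall from 2 to 1 at rate $-4$ in 0.25 time units), with $c \le 0.2$ it is not; the feasible case is exactly the kind of abstract counterexample that the simulation step of Section 5 then has to validate, since the true ODE needs 0.5 time units for the same descent.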

Definition 6. Concretization of a path: Consider a path $p = (v_0, v_1, \ldots, v_m)$ that is feasible in the abstract linear hybrid automaton model $H_a$. Then the concretization of this path in the original hybrid automaton $H$ is the path $p_{concrete} = (v_0^{root}, v_1^{root}, \ldots, v_m^{root})$, where $v_i^{root}$ is the root of the location tree in which $v_i$ is a leaf.

Since the split operator forms a tree of locations in the abstract linear hybrid automaton, the root of the location tree is known and the concretization of an abstract path is well defined.

Definition 7. Concretization of a trace: Consider a trace $tr = \langle (v_0, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$ corresponding to the path $p = (v_0, v_1, \ldots, v_m)$ that is feasible in the abstract linear hybrid automaton model $H_a$. Then the concretization of this trace in the original hybrid automaton $H$ is the trace $tr_{concrete} = \langle (v_0^{root}, \lambda_0(x_0), \lambda_0(x_1), \ldots, \lambda_0(x_n), \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0),\ (v_1^{root}, \lambda_1(x_0), \lambda_1(x_1), \ldots, \lambda_1(x_n), \gamma_1(x_0), \gamma_1(x_1), \ldots, \gamma_1(x_n), t_1),\ \ldots,\ (v_m^{root}, \lambda_m(x_0), \lambda_m(x_1), \ldots, \lambda_m(x_n), \gamma_m(x_0), \gamma_m(x_1), \ldots, \gamma_m(x_n), t_m) \rangle$, where $v_i^{root}$ is the root of the location tree of which $v_i$ is a leaf.

Definition 8. $\varepsilon$-Simulation Trajectory: Given a valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, in a location $v$ of a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, $\tau(x0, x1, \ldots, xn, v, t)$ is said to be an $\varepsilon$-simulation trajectory for location $v$ with initial valuation $Val_0(X)$ iff

– $\tau(t = 0) = (x0, x1, \ldots, xn)$

– if $f(x_0, x_1, \ldots, x_n, t)$ is the solution to the initial value problem $(\beta(v), Val_0(X))$, then $f(t) - \varepsilon \le \tau(t) \le f(t) + \varepsilon$ (componentwise).

It is known that numerical techniques can solve the initial value problem for ODEs (including nonlinear ODEs) quite efficiently.

Definition 9. $\varepsilon$-Hybrid Simulation Trajectory: Given an initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, and a path $p = (v_0, v_1, \ldots, v_m)$ in a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, $\tau(x_0, x_1, \ldots, x_n) = f(t)$ is said to be an $\varepsilon$-hybrid simulation trajectory iff

– $\tau(0) = Val_0(X)$ and $Val_0(X) \in \alpha(v_0)$

– if $x_k := e \in \psi(v_i, v_{i+1})$ then $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{+}\big) = e$, else $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{+}\big) = \tau\big(x_k, (\sum_{j=0}^{i} t_j)^{-}\big)$, i.e. reset variables take the reset value at the jump and all other variables are continuous across it

– before executing the jump $(v_i, v_{i+1})$, $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{-}\big)$ satisfies every precondition (guard) in $\phi(v_i, v_{i+1})$

– within each location $v_i$ where the timed path has spent time $t_i$,

  • $\forall t$, $0 \le t \le t_i$: $\tau\big(v_i, \sum_{j=0}^{i-1} t_j + t\big)$ is an $\varepsilon$-simulation trajectory for location $v_i$ with initial valuation $Val_0 = \tau\big(\sum_{j=0}^{i-1} t_j\big)$.

Definition 10. Guided Simulation Trajectory of the concretization of a trace: An $\varepsilon$-hybrid simulation trajectory $\tau$ is said to be a guided simulation trajectory of a concretized trace $tr_{concrete}$ iff

– the initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, of the trajectory $\tau$ is the initial point of the concretized trace $tr_{concrete}$;

– the $\varepsilon$-hybrid simulation trajectory $\tau$ follows the path $p = (v_0, v_1, \ldots, v_m)$ corresponding to $tr_{concrete}$.

5 CEGAR based Refinement of the Abstract Linear Hybrid Automata

The CEGAR algorithm repeatedly constructs LHA over-approximations of the given (possibly nonlinear) hybrid system and then asks an LHA analysis engine whether the over-approximate LHA admits any counterexample. If it does not, we are done and report that the original hybrid system has no counterexample either, since every behaviour of the original system is also a behaviour of the over-approximation. Otherwise, we take the reported counterexample of the over-approximate LHA and attempt to validate it using numerical simulation. If we succeed in validating the counterexample, we report an error that the bad state is reachable and STOP. Otherwise, we find a location where the nonlinear hybrid automaton needs to be split and rebuild a more precise over-approximate abstraction.
Algorithm for CEGAR

(Input: nonlinear hybrid automaton $A$. Output: ERROR / NO ERROR)

1. $A_0 := A$; $i := 0$; $L :=$ Universe.

2. $LHA_i :=$ LHA-approximation$(A_i)$.

3. $\mathcal{L}(LHA_i) :=$ language of $LHA_i$. $\mathcal{L}(LHA_i)$ represents the set of potential counterexamples in $A_i$ (finitely expressible as a regular expression) [?].

4. $L := L \cap \mathcal{L}(LHA_i)$.

5. If $L$ is empty, report "BAD STATES NOT REACHABLE" and stop.

6. Pick a counterexample $ce$ in $L$.

7. Validate the counterexample $ce$ in the original hybrid automaton $A$ (Sect. 5.1).

8. If $ce$ is validated in $A$, stop and report "ERROR STATE IS REACHABLE".

9. Compute a refinement operator $split$ (Sect. 5.2) and set $A_{i+1} := split(A_i)$. Also compute $L := split(L)$.

10. $i := i + 1$.

11. Loop to Step 2.



5.1 Counterexample Validation and Structural Robustness

Let $(v_0, \gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n), t_0)$ be the initial point in a concretized trace $tr_{concrete}$ for the abstraction, i.e. the linear hybrid system $H_a$ corresponding to the general hybrid system $H$. Let $\tau_{(v_0, x_0, x_1, \ldots, x_n)}$ be the $\varepsilon$-hybrid simulation trajectory starting from this initial point.

Definition 11. $\varepsilon$-Structurally Robust Hybrid System: A hybrid system $H = (X, V, E, v_I, \alpha, \beta)$ is said to be $\varepsilon$-structurally robust iff

– for all $i$ and all $(v_i, \phi, \psi, v_{i+1}) \in E$, every constraint $c$ in $\phi$ is satisfied by a dense set of size at least $\varepsilon$, i.e. if $S = \{Val = (x_0, x_1, \ldots, x_n) \mid Val \text{ satisfies } c\}$, then $\max_{a \in S} \min_{b \in \partial S} d(a, b) > \varepsilon$ (the satisfying set of every guard contains a ball of radius $\varepsilon$).

In particular, we allow only sampled comparisons $x :=_\varepsilon c$, which is a shorthand for $\lfloor c/\varepsilon \rfloor \cdot \varepsilon \le x \le \lceil c/\varepsilon \rceil \cdot \varepsilon$.

Definition 12. $\varepsilon$-Robust Hybrid Simulation Trajectory: Given an initial valuation of $X$, i.e. $Val_0(X) = (x_0 = x0, x_1 = x1, \ldots, x_n = xn)$, and a path $p = (v_0, v_1, \ldots, v_m)$ in a general hybrid system $H = (X, V, E, v_I, \alpha, \beta)$, $\tau(x_0, x_1, \ldots, x_n) = f(t)$ is said to be an $\varepsilon$-robust hybrid simulation trajectory iff

– $\tau(0) = Val_0(X)$ and $Val_0(X) \in \alpha(v_0)$

– if $x_k := e \in \psi(v_i, v_{i+1})$ then $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{+}\big) = e$, else $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{+}\big) = \tau\big(x_k, (\sum_{j=0}^{i} t_j)^{-}\big)$

– before executing the jump $(v_i, v_{i+1})$, $\tau\big(x_k, (\sum_{j=0}^{i} t_j)^{-}\big)$ satisfies every precondition in $\phi(v_i, v_{i+1})$ $\varepsilon$-robustly:

  • a linear constraint $c$ is $\varepsilon$-robustly satisfied by $X = (x_0, x_1, \ldots)$ iff for every $X'$ such that $d(X, X') < \varepsilon$, $c(X')$ is true;

– within each location $v_i$ where the timed path has spent time $t_i$,

  • $\forall t$, $0 \le t \le t_i$: $\tau\big(v_i, \sum_{j=0}^{i-1} t_j + t\big)$ is an $\varepsilon$-simulation trajectory for location $v_i$ with initial valuation $Val_0 = \tau\big(\sum_{j=0}^{i-1} t_j\big)$.

Theorem 1. If $\tau_{(v_0, x_0, x_1, \ldots, x_n)}$ is an $\varepsilon$-robust hybrid simulation trajectory starting from the initial valuation $Val_0 = (\gamma_0(x_0), \gamma_0(x_1), \ldots, \gamma_0(x_n))$, and $H$ is an $\varepsilon$-structurally robust hybrid system, then $tr_{concrete}$ corresponds to a real counterexample for the hybrid system $H$.

Proof. The proof follows from the definition of an $\varepsilon$-structurally robust hybrid system and the notion of an $\varepsilon$-hybrid simulation trajectory: within every location the simulated trajectory stays within $\varepsilon$ of the exact solution, and every guard along the path is satisfied by the whole $\varepsilon$-ball around the simulated point, so the exact trajectory of $H$ satisfies the same guards and follows the same path to the bad state.

5.2 Simulation Based Abstraction Refinement

Consider the concretization $tr_{concrete}$, with respect to the general hybrid automaton $H$, of a trace $tr$ of the abstract linear hybrid automaton $H_a$. Also consider the guided hybrid simulation trajectory $\tau_{tr_{concrete}}$ corresponding to this concretization.

Metrics for distance between trace and trajectory. We define two distance metrics between a trace and the corresponding guided hybrid simulation trajectory.

– $D(t) = d\big(\tau_{tr_{concrete}}(t), tr_{concrete}(t)\big)$.

This is simply a distance between corresponding points on the trace and the trajectory. The metric $d$ may be the Euclidean distance or the Manhattan distance (a linear function).

– $D'(t) = d'\big(\, d(\tau_{tr_{concrete}}(t), tr_{concrete}(t)),\ d(\tau_{tr_{concrete}}(t^-), tr_{concrete}(t^-)) \,\big)$.

This metric measures how rapidly the guided hybrid simulation trajectory is moving away from the trace. The metric $d$ may again be the Euclidean or the Manhattan distance, while $d'$ may be the plain difference of the two real numbers; $t^-$ denotes the last instant before $t$ at which the value of the concretized trace is known.

Strategies to choose the location to be refined. Let $t_i$ be the discrete points on the concretization of a trace, i.e. on $tr_{concrete}$, for which $tr_{concrete}(t_i)$ is known from the solution of the LP problem. There are a few different strategies to choose the location in the approximate linear hybrid automaton $H_a$ that needs to be refined; each picks the smallest index $i$ at which the deviation exceeds an empirically determined constant $\epsilon$:

– $\min_i$ such that $|D(t_i)| > \epsilon$;

– $\min_i$ such that $|D'(t_i) - D'(t_{i-1})| > \epsilon$;

– $\min_i$ such that $|D'(t_i) / D'(t_{i-1})| > \epsilon$.

After finding the point $t_i$ at which the location needs to be refined, the location $v_i$ occupied at time $t_i$, which is the one to be split, is read off the concretized trace.

Choosing the variable to split the location. When a simulation trajectory differs substantially from the trace obtained from the LP solution, we need to split the location at which the difference is substantial along a hyperplane such that the abstract linear hybrid automaton that results has a trace close to the simulation trajectory. Let $D$ be the metric used to decide whether a given location should be refined; then we split into half-spaces along those variables which have contributed beyond a threshold to $D$.
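Sections 5.1 and 5.2 together, as one added worked example written for this page (not the authors' tool or the IRA successor): a guided simulation of a constructed two-variable system ($\dot{x} = -x^2$ and a clock $c$) along the path of a hand-built LP trace, the $\varepsilon$-robust guard check of Definition 12, the metrics $D$ and $D'$ with the Manhattan distance, the first refinement strategy and the variable selection. The system, the guards and the trace are assumptions; the $\varepsilon$ band of Definition 8 is checked against the closed-form solution, which happens to exist for this ODE. The robust guard check uses the fact that for a half-space $a \cdot x \le b$ the supremum of $a \cdot \delta$ over the Euclidean ball $\|\delta\| < \varepsilon$ is $\varepsilon \|a\|_2$, so the constraint is $\varepsilon$-robustly satisfied iff $a \cdot x + \varepsilon \|a\|_2 \le b$.

```python
"""Added example (not the authors' code): validate an abstract counterexample by
guided numerical simulation and choose where to refine (Sects. 5.1 and 5.2).

Assumed system: variables (x, c) with x' = -x^2 and c' = 1 in every location,
path p = (v0, v1) with guard x <= 1, c <= 0.3 on v0 -> v1 and no resets.
"""
import math
from typing import Callable, List, Optional, Tuple

Val = Tuple[float, ...]


def rk4(f: Callable[[Val], Val], x0: Val, horizon: float, steps: int = 200) -> Val:
    """Classical 4th-order Runge-Kutta; returns the state after `horizon` time units."""
    h, x = horizon / steps, tuple(x0)
    for _ in range(steps):
        k1 = f(x)
        k2 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k1)))
        k3 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k2)))
        k4 = f(tuple(xi + h * ki for xi, ki in zip(x, k3)))
        x = tuple(xi + h / 6.0 * (a + 2 * b + 2 * c + d)
                  for xi, a, b, c, d in zip(x, k1, k2, k3, k4))
    return x


def manhattan(a: Val, b: Val) -> float:
    return sum(abs(p - q) for p, q in zip(a, b))


def robustly_satisfied(coeffs: Val, bound: float, point: Val, eps: float) -> bool:
    """a.x <= b holds at every point within Euclidean distance eps of `point`
    iff a.point + eps*||a||_2 <= b (Definition 12)."""
    ax = sum(c * p for c, p in zip(coeffs, point))
    return ax + eps * math.sqrt(sum(c * c for c in coeffs)) <= bound


# --- constructed system and trace (assumptions) -----------------------------
def flow(v: Val) -> Val:                 # x' = -x^2, c' = 1 in every location
    return (-v[0] ** 2, 1.0)

def exact(x0: Val, t: float) -> Val:     # closed form, used only to check the eps band (Def. 8)
    return (x0[0] / (1.0 + x0[0] * t), x0[1] + t)

GUARDS = {("v0", "v1"): [((1.0, 0.0), 1.0), ((0.0, 1.0), 0.3)]}   # x <= 1, c <= 0.3
# abstract trace entries (location, gamma_i, lambda_i, t_i) along p = (v0, v1), hand-built
# the way an LP solver might return them: the LHA lets x fall at rate -4, the ODE cannot
TRACE = [("v0", (2.0, 0.0), (1.0, 0.25), 0.25),
         ("v1", (1.0, 0.25), (0.5, 0.75), 0.5)]


def simulation_error(x0: Val, t: float) -> float:
    """Largest componentwise |rk4 - exact|: the eps of Definition 8 for this integrator."""
    return max(abs(a - b) for a, b in zip(rk4(flow, x0, t), exact(x0, t)))


def guided_simulation(trace, eps: float) -> Tuple[List[Val], List[bool]]:
    """Follow the trace's path and dwell times from gamma_0 (Definition 10); return
    the simulated exit valuations and, per jump, whether every guard held eps-robustly."""
    x = trace[0][1]
    exits, guards_ok = [], []
    for i, (v, _, _, ti) in enumerate(trace):
        x = rk4(flow, x, ti)
        exits.append(x)
        if i + 1 < len(trace):
            guards = GUARDS[(v, trace[i + 1][0])]
            guards_ok.append(all(robustly_satisfied(a, b, x, eps) for a, b in guards))
            # no resets on this edge; a reset x_k := e would overwrite component k here
    return exits, guards_ok


def distances(trace, exits) -> Tuple[List[float], List[float]]:
    """D(t_i) and D'(t_i) = D(t_i) - D(t_i^-) at the discrete points t_0 = 0, t_1, ..."""
    D = [0.0] + [manhattan(sim, lam) for (_, _, lam, _), sim in zip(trace, exits)]
    Dp = [0.0] + [D[i] - D[i - 1] for i in range(1, len(D))]
    return D, Dp


def choose_refinement(trace, eps: float, threshold: float):
    """None if the counterexample validates (Theorem 1; H is assumed eps-structurally
    robust), otherwise (location to split, variables to split on, D, D')."""
    exits, guards_ok = guided_simulation(trace, eps)
    failing = [k for k, ok in enumerate(guards_ok) if not ok]
    if not failing:
        return None
    D, Dp = distances(trace, exits)
    over = [k for k in range(1, len(D)) if abs(D[k]) > threshold]   # strategy: min_i |D(t_i)| > eps
    i = over[0] if over else failing[0] + 1
    loc, _, lam, _ = trace[i - 1]
    contrib = [abs(s - l) for s, l in zip(exits[i - 1], lam)]        # per-variable share of D(t_i)
    variables = [k for k, c in enumerate(contrib) if c > threshold]
    return loc, variables, D, Dp
```

On this input the simulation reaches $x = 4/3$ after 0.25 time units, so the guard $x \le 1$ is not robustly satisfied, the counterexample is spurious, $D(t_1) = 1/3$ exceeds the threshold, and the refinement splits `v0` along `x` (variable index 0); the clock contributes nothing to $D$, which is what keeps the split from being made along a variable the LHA already tracks exactly.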

6 Conclusion and Future Work 

This early draft discusses the core issues involved in building a CEGAR frame- 
work for analyzing nonlinear hybrid systems. The central idea is to use linear pro- 
gramming as a mechanism for obtaining feasible traces of the over-approximate 
linear hybrid automata (LHA) abstractions and numerical simulation for obtain- 
ing a corresponding trace of the original (possibly nonlinear) hybrid system. The 
distance between these two traces is then used to guide the refinement step in 
our CEGAR loop. 

Several practical issues, such as the choice of the distance metrics, the choice of a particular solution to the linear program, and a characterization of the nonlinear functions which can be handled using this paradigm, have been left to a more complete version of this draft. The techniques presented here are also being implemented in a tool which will be a successor to the IRA meta-tool for analyzing LHAs.